15. Privacy protection


This module summarises Chapter 15, which focuses on policy measures to protect privacy. It introduces the main elements of a government policy framework to protect privacy and provides an overview of the situation in the LAC region. Finally, it provides a set of good practices, with a focus on the need to promote privacy risk management as a useful and relevant methodology for all data controllers to protect privacy.


Main policy objectives

The main policy objective for privacy protection is to develop and implement a policy framework that protects privacy while i) encouraging the use of the digital environment for economic and social prosperity; and ii) enabling transborder flows of personal data through appropriate international policy and legal interoperability. This general policy goal can be met through policy tools, such as:

  • Developing a national privacy strategy
  • Implementing accountability
  • Free data flow and legitimate restrictions
  • International co-operation and interoperability


Tools for measurement and analysis

There is no general agreement on indicators to measure the various aspects of privacy protection policy frameworks. However, in the context of their reporting and transparency obligation, privacy enforcement authorities generally publish an annual report reflecting their activities. This includes statistics on, for example:

  • number of complaints received
  • number of requests for information from individuals and data controllers
  • number of fines, etc.

Unfortunately, the methodologies to collect and aggregate data are generally not comparable, and there is no systematic comparative analysis of these statistics, whether at the regional or international level.


Overview of the situation in the LAC region

In recent years, many LAC countries have passed laws, regulations and policies to protect privacy and personal data as a fundamental human right, in line with various international and regional instruments on data protection. Brazil, Colombia, Costa Rica, the Dominican Republic, Ecuador, Mexico, Nicaragua, Peru and Uruguay are among the LAC countries with data protection legislation and regulation in force. Only one country (Mexico) has moved to a pro-active co-regulatory approach that includes the use and implementation of binding self-regulation on data protection. It has minimal regulatory restrictions on cross-border data flows, to facilitate trade and the exchange of data with third countries while encouraging technology innovation. However, the majority of countries of LAC still face numerous challenges, including:

  • pro-active enforcement of data protection laws and regulations by the DPA
  • encouragement of privacy management programmes that include obligations to respond, notify and provide redress to data subjects in case of a security breach affecting personal information
  • harmonised cross-border privacy co-operation with other DPAs and law enforcement authorities, and encouragement of interoperability with other regional and national frameworks on privacy and data protection (e.g. APEC’s Privacy Framework).

The majority of LAC countries have not developed national privacy strategies that take into consideration the recommendations in the OECD Privacy Guidelines. In addition, DPAs in LAC countries have not been conducting ongoing national campaigns for the protection of personal data that support compliance with the laws and regulations on privacy and data protection and inform users about the mechanisms available to help them exercise their data protection rights.

Implementation of cross-border co-operation agreements to enforce privacy laws in LAC countries is limited. Only Argentina, Colombia and Mexico are members of the GPEN through their respective DPAs. National budget constraints are likely to be among the reasons for this, given that few countries have allocated annual budgets in this area.

The data protection laws of Colombia, Peru and Mexico contain provisions for the use of standard contractual clauses, binding corporate rules and other legal instruments to conduct international transfers of data to third countries. However, such mechanisms have not yet been fully implemented at a practical level, and the DPAs of LAC countries have not yet made official statements on the validity of such instruments.


Good practices

Good regulatory practice in the area of privacy protection includes the promotion of privacy risk management by the policy makers of LAC countries, as a useful methodology for data controllers to protect privacy. This is perhaps one of the greatest challenges in the region, since it is a novel concept and the consensus is that “work is needed to understand practical applications and implications” of privacy risk management. National privacy strategies could incorporate each of the policies contained in Part Five of Principle 19 of the OECD Revised Privacy Guidelines (OECD, 2013):

  • develop national privacy strategies that reflect a co-ordinated approach across governmental bodies
  • adopt laws protecting privacy
  • establish and maintain privacy enforcement authorities with the governance, resources and technical expertise necessary to exercise their powers effectively and to make decisions on an objective, impartial and consistent basis
  • encourage and support self-regulation, whether in the form of codes of conduct or otherwise
  • provide for reasonable means for individuals to exercise their rights
  • provide for adequate sanctions and remedies in case of failures to comply with laws protecting privacy
  • consider the adoption of complementary measures, including education and awareness raising, skills development, and the promotion of technical measures that help to protect privacy
  • consider the role of actors other than data controllers, in a manner appropriate to their individual role
  • ensure that there is no unfair discrimination against data subjects.

The broad implementation of the accountability principle is also relevant. A data controller should in this sense (OECD, 2013):

  • Have in place a privacy management programme that:

    • gives effect to these Guidelines for all personal data under its control
    • is tailored to the structure, scale, volume and sensitivity of its operations
    • provides for appropriate safeguards based on privacy risk assessment
    • is integrated into its governance structure and establishes internal oversight mechanisms
    • includes plans for responding to inquiries and incidents
    • is updated in light of ongoing monitoring and periodic assessment.

  • Be prepared to demonstrate its privacy management programme as appropriate, in particular at the request of a competent privacy enforcement authority or another entity responsible for promoting adherence to a code of conduct or similar arrangement giving binding effect to these Guidelines.

  • Provide notice, as appropriate, to privacy enforcement authorities or other relevant authorities where there has been a significant security breach affecting personal data. Where the breach is likely to adversely affect data subjects, a data controller should notify affected data subjects.


