https://orcid.org/0000-0001-5421-4782
![Sample our Politics & International Relations journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5947/TOC-Subject-Sample-2021-Politics-International-Relations.jpg"})
ABSTRACT
The right to privacy and data protection are key elements to understand how data has become the centerpiece of many changes in human interaction, new business models and technological development in an increasingly hyperconnected world. In a so-called data driven economy, the task of asserting principles, concepts and legal bases for data processing is fundamental to devise how such rights can be indeed protected. The Inter-American System of Human Rights recognises this right. In contrast to the European system that since 2000 recognises the right to data protection as an autonomous right – differentiating it from the right to privacy – the Inter-American System is on track to improve the standards of protection of both rights. Considering all thirty-five States of the Americas, eighteen have a specific data protection regulation; seven are discussing the Bill and eleven do not have a specific data protection regulation. The purpose of this article is to present the stage of development of the inter-American System of Human Rights in relation to the protection of the right to privacy and data protection and also demonstrate the challenges that such system will have to face as it move towards the effective guarantee of such rights.
Disclosure statement
No potential conflict of interest was reported by the author(s).
Notes on contributor
Carlos Affonso Souza, PhD and a Master’s Degree in Civil Law from Rio de Janeiro State University (UERJ). Law Professor at UERJ and at the Pontifical Catholic University of Rio de Janeiro (PUC-Rio). Visiting professor at the University of Ottawa and an affiliated fellow at the Information Society Project, Yale Law School. Co-founder and Director of the Institute for Technology & Society of Rio de Janeiro (ITS Rio).
Caio César de Oliveira, Fellow at the Institute of Technology and Society of Rio de Janeiro (ITS-Rio). Master’s degree from the University of São Paulo (USP). Director of the New Lawyers Commission at the São Paulo Lawyers Institute (CNA/IASP). Lawyer.
Christian Perrone, PhD Candidate and Fulbright Scholar. (Georgetown University) on International Law and the Internet, LL.M. Cambridge University (UK); Diploma EUI on International Human Rights. Former Secretary of the Inter-American Juridical Committee (OAS) and Human Rights Specialist at the Inter-American Commission on Human Rights and the Inter-American Court of Human Rights. Lawyer and Senior Researcher at Institute for Technology & Society of Rio de Janeiro (ITS Rio).
Giovana Carneiro, Undergraduate student at the Rio de Janeiro State University (UERJ), Faculty of Law. Diploma on Private International Law (The Hague Academy of International Law, The Hague, The Netherlands, 2019). Junior Researcher at Institute for Technology & Society of Rio de Janeiro (ITS Rio).
Notes
1 ‘Inter-American Human Rights System’, International Justice Resource Center (IJRC), https://ijrcenter.org/regional/inter-american-system/ (accessed May 03, 2020).
2 OAS, ‘What is the IACHR?’, About the IACHR, https://www.oas.org/en/iachr/mandate/what.asp (accessed May 03, 2020). The Court is, in principle, the interpretative authority under the Inter-American Convention on Human Rights, yet its jurisdiction, under principles of public international law, is constrained by both the States that adhere to the Convention and those that accepted it jurisdiction either a compulsory matter or in a ad hoc fashion. This means that whereas the Commission can act in regard to the whole 35 members of the OAS, the Court only to the members bound by the American Convention and that accepts its jurisdiction.
3 IACHR, Strategic Plan 2017–2021, https://www.oas.org/en/iachr/mandate/StrategicPlan2017/docs/StrategicPlan2017-2021.pdf.
4 For an overall understanding of the IACHR, the organisational charter is available at: https://www.oas.org/en/iachr/mandate/docs/Organization-chart-IACHR.pdf.
5 A general view on the IACHR rapporteurships is available at: https://www.oas.org/en/iachr/mandate/rapporteurships.asp.
6 A list of the Inter-American human rights instruments is available at: https://www.corteidh.or.cr/instrumentos-en.cfm.
7 It is widely understood that the Court has four types of jurisdiction: adjudicative, advisory, provisional
8 United Nations, Frank La Rue, Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, May 16, 2011, https://www2.ohchr.org/english/bodies/hrcouncil/docs/17session/A.HRC.17.27_en.pdf.
9 Samuel D. Warren and Louis D. Brandeis, ‘The Right to Privacy’, Harvard Law Review 4, no. 5 (1890): 193–220.
10 Viktor Mayer-Schönberger, ‘General development of data protection in Europe’, in Technology and privacy: The new landscape (Cambridge: MIT Press, 1997).
11 In 2018, it was approved a modernised version of the Convention known as Convention 108+.
12 Christopher Kuner, Fred H Cate, Orla Lynskey, Christopher Millard, Nora Ni Loideain, and Dan Jerker B. Svantesson, ‘Introducing the global data privacy prize’, International Data Privacy Law 9, no. 1 (February 2019): 1, https://doi.org/10.1093/idpl/ipz002.
13 In a handbook relatively recently published in conjunction by the EU and the Council of Europe they showcase the intertwined nature of both rights: ‘The right to respect for private life and the right to the protection of personal data are closely related. Both strive to protect similar values, i.e. the autonomy and human dignity of individuals, by granting them a personal sphere in which they can freely develop their personalities, think and shape their opinions’. European Union Agency for Fundamental Rights and Council of Europe, Handbook on European data protection law (2018), https://www.echr.coe.int/Documents/Handbook_data_protection_ENG.pdf.
14 ECtHR, Case Arvelo Apont v the Netherlands App no 28770/05, judgement of 3 November, 2011, para. 53.
15 ECtHR, Case Certain aspects of the Laws on the Use of Languages in Education in Belgium v Belgium App nos 1474/62, 1677/62, 1691/62, 1769/63, 1994/63 and 2126/64, judgement of 23 July, 1968; ECtHR, Case Marckx v Belgium App no 6833/74, judgement of 13 June, 1979. An interesting overview of this aspect can be found at: A.R. Mowbray, The Development of Positive Obligations under the European Convention on Human Rights by the European Court of Human Rights (Oxford: OUP, 2004).
16 At the X v. Iceland Case, for instance the Court understood that ‘[the right of privacy] comprises also, to a certain degree, the right to establish and to develop relationships with other human beings, especially in the emotional field for the development and fulfilment of one’s own personality’. (ECtHR, Case X v Iceland App no 6825/74, judgement of 18 May, 1976).
17 ECtHR, Case Mikulić v. Croatia, no. 53176/99, judgement of 7 February, 2002, para. 53.
18 Both in the imparting and receiving side. For the latter, the leading case is Odièvre v. France, dealing with a French procedure that allowed the identity of the mother be a secret preventing the child to know her origins. To one side a personal information protects, to the other, a personal information (family origin) kept from the data subject (ECtHR, Case Odièvre v. France, judgement of 13 February, 2003).
19 ECtHR, Case Z. v. Finland App no. 22009/93 judgement of 25 February, 1997; ECtHR, Case M. S. v. Sweden, judgement of 2 August, 1997. In the former the Court stated that it would ‘take into account that the protection of personal data, not least medical data, is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life as guaranteed by Article 8 of the Convention (art. 8). Respecting the confidentiality of health data is a vital principle in the legal systems of all the Contracting Parties to the Convention’ (para. 95).
20 In COE’s and EU’s Handbook, it is stated that ‘[o]ver the years, the Court has ruled that personal data protection is an important part of the right to respect for private life (Article 8), and has been guided by the principles of Convention 108 in determining whether or not there has been an interference with this fundamental right’. European Union Agency for Fundamental Rights and Council of Europe, Handbook on European Data Protection Law (2018).
21 The connection between privacy to personal identification can be seen for instance at the Case Burghartz v. Switzerland dealing with the correction of stored personal data, at this time, family surname. (ECtHR, Case Burghartz v. Switzerland, 22 February 1994, § 24, Series A no. 280-B).
22 ECtHR, Case Amann v. Switzerland [GC], No. 27798/95, judgement of 16 February 2000, para. 65; ECtHR, Case S. and Marper v. the United Kingdom, judgment (Grand Chamber) of 4 December 2008, para. 66.
23 OECD, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), https://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm (accessed May 03, 2020).
24 One should bear in mind that those two norms are not the only EU Laws that deal with data protection.
25 The Charter of Fundamental Rights of the EU grants two specific articles to deal with the matter, art. 7 and 8, rights to private life and data protection, respectively.
26 The cases from the IACtHR, as seen above, highlight the matter. Home: IACtHR, Case of the Ituango Massacres v. Colombia. Judgment of July 1, 2006. Merits, Reparations and Costs. Series C No. 148; IACtHR, Case Escué-Zapata v. Colombia. Judgment of July 4, 2007. Merits, Reparations and Costs. Series C No. 165; IACtHR, Case Fernández-Ortega et al. v. Mexico. Judgment of August 30, 2010. Merits, Reparations and Costs. Series C No. 215. Communications: IACtHR, Case Tristán Donoso v. Panama. Preliminary Objection, Merits, Reparations and Costs. Judgment of January 27, 2009. Series C No. 193; ase of Escher v. Brazil. Judgment of July 6, 2009. Merits, Reparations and Costs. Series C No. 200. Family life: IACtHR, Case Escué-Zapata v. Colombia. Judgment of July 4, 2007. Merits, Reparations and Costs. Series CNo. 165; IACtHR, Case Atala Riffo and children vs. Chile, Sentencia de Merits, Reparations and Costs, of February 24, Series C No.; IACtHR, Case Artavia Murillo and Others (‘In vitro fecundation’) vs. Costa Rica, Preliminary Objection, Merits, Reparations and Costs, judgement of November 28, 2012, Series C No.
27 Office of the Special Rapporteur for Freedom of Expression of the IACHR. Standards for a Free, Open and Inclusive Internet (2016), para. 186, https://www.oas.org/en/iachr/expression/docs/publications/INTERNET_2016_ENG.pdf.
28 ‘Art. 11(2): No one may be the object of arbitrary or abusive interference with his private life, his family, his home, or his correspondence, or of unlawful attacks on his honor or reputation’. (Art. 11(2) American Convention on Human Rights, 1989).
29 There are Latin American scholars who understand that the development of the right to privacy has been mostly focused on personal development than personal data. María Solange Maqueo Ramírez, Jimena Moreno González, and Miguel Recio Gayo, ‘Protección de datos personales, privacidad y vida privada: la inquietante búsqueda de un equilibrio global necesario’, Revista de Derecho (Valdivia) XXX, no. 1 (2017): 77–96, https://scielo.conicyt.cl/pdf/revider/v30n1/art04.pdf.
30 Ramírez, González, and Gayo, ‘Protección de datos personales, privacidad y vida privada’.
31 At the Universal System, there has been lately a higher emphasis on data protection as a human right. See for instance: UNGA Res. 68/167, The Right to Privacy in the Digital Age (Jan. 21, 2014); UNGA Res. 69/166, The Right to Privacy in the Digital Age (Dec. 18, 2014); UNGA Res. 71/199, The Right to Privacy in the Digital Age (Dec. 19, 2016); Human Rights Council Res. 28/16 (Mar. 24, 2015). In the past, the UN Human Rights Committee has addressed the issue under the heading of ‘[t]he gathering and holding of personal information on computers, data banks and other devices, whether by public authorities or private individuals or bodies, must be regulated by law’ (UN Human Rights Committee, General Comment no. 16, Article 17 (The right to respect of privacy, family, home and correspondence, and protection of honour and reputation), HRI/GEN/1/Rev.9 (Vol. I), 8 April 1988.) As a part of the UN general response on the matter, it had as well the non-binding Guidelines for the Regulation of Computerized Personal Data Files, UNGA Res. 45/95 (Dec. 14, 1990).
32 Brazil has approved in a committee of its Lower Chamber an Amendment to its Constitution that would include autonomously data protection as a fundamental right. Brazil, PEC 17/2019, https://www.camara.leg.br/proposicoesWeb/fichadetramitacao?idProposicao=2210757 (accessed 03 May, 2020).
33 IACtHR, Case Tristán Donoso vs. Panama, Judgement of 27 January, 2009, Merits, Reparations and Costs, paras. 55 and 76; and IACtHR, Case Escher et al. vs. Brazil, Judgment of July 6, 2009. Merits, Reparations and Costs. Series C No. 200. para. 114.
34 IACtHR, Case Escher et al. vs. Brazil, Judgment of July 6, 2009. Merits, Reparations and Costs. Series C No. 200. para. 115.
35 IACtHR, Case Fernández Ortega et al. vs. México, Judgement of 30 August, 2010, Merits, Reparations and Costs, para. 129; and Caso Rosendo Cantú et al. vs. México, Judgement of 31 August, 2010, Merits, Reparations and Costs, para. 119.
36 IACtHR, Case Atala Riffo and Daughters vs. Chile, Judgement of 24 February, 2012, para. 162.
37 IACtHR, Case Artavia Murillo et al. (‘In vitro fertilization’) vs. Costa Rica, Judgement of 28 November, 2012, Merits, Reparations and Costs, para. 143. (Original footnotes omitted).
38 IACHR, Report of the Special Rapporteur for Freedom of Expression (2013), Chapter IV (Freedom of Expression and the Internet). OEA/Ser.L/V/II.149. Doc. 50. December 31, 2013. para. 131.
39 IACHR, Report of the Special Rapporteur for Freedom of Expression (2013), Chapter IV (Freedom of Expression and the Internet). OEA/Ser.L/V/II.149. Doc. 50. December 31, 2013. para. 138. (grifo provided).
40 Office of the Special Rapporteur for Freedom of Expression of the IACHR, Standards for a Free, Open and Inclusive Internet (2016), para. 199, https://www.oas.org/en/iachr/expression/docs/publications/INTERNET_2016_ENG.pdf.
41 Office of the Special Rapporteur for Freedom of Expression of the IACHR, Standards for a Free, Open and Inclusive Internet (2016), para. 204, https://www.oas.org/en/iachr/expression/docs/publications/INTERNET_2016_ENG.pdf.
42 Office of the Special Rapporteur for Freedom of Expression of the IACHR, Standards for a Free, Open and Inclusive Internet (2016), para. 202, https://www.oas.org/en/iachr/expression/docs/publications/INTERNET_2016_ENG.pdf.
43 IACHR, Annual Report of the Office of the Special Rapporteur for Freedom of Expression 2018 (2019), para. 404, https://www.oas.org/en/iachr/expression/docs/reports/annual/IA2018RELE-en.pdf.
44 Inter-American Juridical Committee of the Organization of American States, OAS Principles on Privacy and Personal Data Protection with Annotations (2015), https://www.oas.org/en/sla/dil/docs/CJI-doc_474-15_rev2.pdf.
45 More information on the standing of the Inter-American Human Rights System within the Organization of American States, see: https://www.oas.org/en/about/what_we_do.asp.
46 See for instance: OAS, Access to Public Information: Strengthening Democracy (2009), AG/RES. 2514 (XXXIX-O/09), https://www.oas.org/en/sla/dil/docs/AG-RES_2514-2009_eng.pdf, Access to Public Information: Strengthening Democracy (2008), AG/RES. 2418 (XXXVIII-O/08), https://www.oas.org/en/sla/dil/docs/AG-RES_2418_XXXVIII-O-08_en.pdf, Access to Public Information: Strengthening Democracy (2007), AG/RES. 2288 (XXXVII-O/07), https://www.oas.org/DIL/AG-RES_2288_XXXVII-O-07_eng.pdf and Model Inter-American Law on Access to Public Information (2010), AG/RES. 2607 (XL-O/10), https://www.oas.org/dil/AG-RES_2607-2010_eng.pdf.
47 OAS, Commentary And Guide For Implementation For The Model Inter- American Law On Access To Information (2010), item D (4), 5, https://www.oas.org/dil/AG-RES_2607-2010_eng.pdf.
48 OAS, Department of International Law, of the Secretariat for Legal Affairs, Preliminary Principles and Recommendations on Data Protection (The Protection of Personal Data) (2010/2011), https://www.oas.org/dil/CP-CAJP-2921-10_rev1_corr1_eng.pdf.
49 OAS, Access To Public Information And Protection Of Personal Data (2011), AG/RES. 2661 (XLI-O/11), https://www.oas.org/DIL/AG-RES_2661-XLI-O-11_eng.pdf.
50 OAS, Department of International Law, of the Secretariat for Legal affairs, Comparative Study: Data Protection In The Americas, Different existing legal regimes, polices and enforcement mechanisms for the protection of personal data, including domestic legislation, regulation, and self-regulation (2012), https://www.oas.org/es/sla/ddi/docs/CP-CAJP-3063-12_en.pdf.
51 Inter-American Juridical Committee of the Organization of American States, Privacy and Data Protection (2015), CJI/doc. 474/15 rev.2, p.1, https://www.oas.org/en/sla/dil/docs/CJI-doc_474-15_rev2.pdf.
52 Inter-American Juridical Committee of the Organization of American States, Privacy and Data Protection (2015), CJI/doc. 474/15 rev.2, p.3, https://www.oas.org/en/sla/dil/docs/CJI-doc_474-15_rev2.pdf.
53 Inter-American Juridical Committee of the Organization of American States, Privacy and Data Protection (2015), CJI/doc. 474/15 rev.2, pp. 6–19, https://www.oas.org/en/sla/dil/docs/CJI-doc_474-15_rev2.pdf.
54 The European Human Rights System does not outright adopt standards of data protection from the GDPR or of the former European normative the Directive 46/95. Yet, the EU standards serve as guidance and further evidence that data protection is a right and safeguarded under the domestic law of each country member.
55 UNCTAD, Data Protection and Privacy Legislation Worldwide database, https://unctad.org/en/Pages/DTL/STI_and_ICTs/ICT4D-Legislation/eCom-Data-Protection-Laws.aspx (accessed January 27, 2020). There is dispute on these numbers, Although the classification as a general data protection regulation varies, it is clear that more than 100 jurisdictions in the world do have a privacy and data protection legislation.
56 Economic Commission for Latin America and the Caribbean (ECLAC), Corporate governance and data protection in Latin America and the Caribbean, Production Development series, no. 223 (LC/TS.2019/38), Santiago, 2019, p.32, https://repositorio.cepal.org/bitstream/handle/11362/44629/S1900395_en.pdf?sequence=1&isAllowed=y.
57 Ibid.
58 Economic Commission for Latin America and the Caribbean (ECLAC), Corporate governance and data protection in Latin America and the Caribbean, Production Development series, no. 223 (LC/TS.2019/38), Santiago, 2019, p. 33, https://repositorio.cepal.org/bitstream/handle/11362/44629/S1900395_en.pdf?sequence=1&isAllowed=y.
59 Article 29 of the American Convention supports such interpretation. It states that rights established domestically should be treated and guaranteed as well, in verbis:
Art. 29 No provision of this Convention shall be interpreted as: […]
b. restricting the enjoyment or exercise of any right or freedom recognised by virtue of the laws of any State Party[; or]
c. precluding other rights or guarantees that are inherent in the human personality or derived from representative democracy as a form of government.
60 OAS, Department of International Law, of the Secretariat for Legal affairs, Comparative Study: Data Protection in the Americas, Different existing legal regimes, polices and enforcement mechanisms for the protection of personal data, including domestic legislation, regulation, and self-regulation (2012), 8, https://www.oas.org/es/sla/ddi/docs/CP-CAJP-3063-12_en.pdf.
61 Organization of Eastern Caribbean States (OECS), ‘Data Protection Act’ (2016), https://www.oecs.org/en/procurement/e-gov/data-protection-act.
62 ‘Economic Partnership Agreement between the CARIFORUM States and the European Community’, 2008, https://www.sice.oas.org/Trade/CAR_EU_EPA_e/careu_in_e.ASP.
63 José Augusto Fontoura Costa, ‘Data Protection in International Trade Law’, Data Protection in the Internet, eds. Dário Moura Vicente and Sofia de Vasconcelos Casimiro (Switzerland: Springer, 2020): 487.
64 CARICOM’s Member States are 15: Antigua and Barbuda, Bahamas, Barbados, Belize, Dominica, Grenada, Guyana, Haiti, Jamaica, Montserrat, Saint Lucia, St Kitts and Nevis, St Vincent and the Grenadines, Suriname and Trinidad and Tobago. There are also 5 associate members, namely Anguilla, Bermuda, British Virgin Islands, Cayman Island and Turks and Caicos Islands. CARICOM, https://caricom.org/about-caricom/who-we-are/our-governance/members-and-associate-members/ (accessed May 03, 2020).
65 EU, European Commission, ‘Adequacy decisions’, https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en (accessed May 03, 2020).
66 The Proposal was not yet voted by the National Congress in its entirety. Brazil, National Congress, https://www.camara.leg.br/proposicoesWeb/fichadetramitacao?idProposicao=2210757 (accessed May 03, 2020).
67 See for instance Anderson Schreiber. Anderson Schreiber, ‘PEC 17/19: Uma Análise Crítica’, Gen Jurídico (2019), https://genjuridico.com.br/2019/07/19/analise-critica-pec-17-2019/.
68 ‘The Dominican Republic Works on New Data Protection Law’, Council of Europe (December 18, 2019), https://www.coe.int/en/web/cybercrime/-/glacy-the-dominican-republic-works-on-new-data-protection-law
69 Bartlett D. Morgan, ‘Barbados, A Modern Data Protection Regime’, Data Guidance (September 2019), https://platform.dataguidance.com/opinion/barbados-modern-data-protection-regime.
70 Jaime Urzúa. Avances en el Proyecto de ley sobre protección de datos personales: Consejo para la Transparencia será la nueva Agencia de protección de datos (September 2019), https://www.alessandri.legal/avances-en-el-proyecto-de-ley-sobre-proteccion-de-datos-personales/.
71 Local scholars consider two existing alternatives: a new body of regulation or deliverying the attribution to an existing body, the Transparency Counsel – Consejo para la Transparencia – CPLT (María Paz Canales and Pablo Viollier, ‘Chile necesita una regulación de protección de datos con dientes’, Derechos Digitales (July 12, 2019), https://www.derechosdigitales.org/13443/proteccion-de-datos-con-dientes/). Most recent news has indicated that the Congress would end up choosing the second one, but there are still concerns as to its independence and autonomy (Jaime Urzúa. Avances en el Proyecto de ley sobre protección de datos personales: Consejo para la Transparencia será la nueva Agencia de protección de datos (September 2019), https://www.alessandri.legal/avances-en-el-proyecto-de-ley-sobre-proteccion-de-datos-personales/).
72 ‘European Commission Joint press statement by Commissioner Věra Jourová and Felipe Larraín Bascuñán, Minister of Finance, and Hernán Larraín Fernández, Minister of Justice and Human Rights of Chile on cooperation on data protection’, European Commission Statements, 2019, https://ec.europa.eu/commission/presscorner/detail/en/STATEMENT_19_4029 (accessed May 03, 2020).
73 One example is the creation of the unit for dealing with LGBTI right in 2011 and this further development in a Rapporteurship. IACHR, IACHR Creates Unit on the Rights of Lesbian, Gay, Bisexual, Trans, and Intersex Persons (November 3, 2011), https://www.oas.org/en/iachr/media_center/PReleases/2011/115.asp (accessed May 03, 2020). The Commission also amended its rules on prioritising cases, the registry of individual petitions tends to take from 2 to 4 years and then starts the petition’s processing. Petitions concerned LGBTI rights took priority and were reviewed in advance.
74 Another example comes from the institution of an Office of the Special Rapporteur on Economic, Social, Cultural, and Environmental Rights: https://www.oas.org/en/iachr/media_center/PReleases/2014/034.asp.
75 Mexico and Brazil, for instance, are amongst the top ten heaviest users of digital services, particularly, social media platforms. (UN ECLAC, Regional digital market Strategic aspects (2018), p. 7ff., https://www.cepal.org/en/publications/43633-regional-digital-market-strategic-aspects).
76 One cannot forget the risk that comes from private sources of ‘surveillance’. Zuboff’s understanding of an ‘age of surveillance capitalism’ certainly adds to concerns of using the structure of data flows created for the digital environment to be used in a variety of dubious or even unscrupulous ways (Shoshana Zuboff, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power (PublicAffairs, 2019)).
77 Monika Zalnieriute, Lyria Bennett Moses and George Williams, ‘The Rule of Law and Automation of Government Decision-making’, Modern Law Review, 2019, v. 82(3).
78 Calo, for instance state that there is a difference between robots and technologies such as the internet, because robots can cause physical harm, their ‘habitat’ is not the cyberspace, but the same plane as us, the physical world. (Ryan Calo, Robotics and the Lessons of Cyberlaw (2015), 103 CALIF. L. REV. 513: 515).
79 The internet of things is a term used to describe the usage of sensors and algorithms to connect everyday objects to the internet. This means they can execute many of their functions online and receive and impart information online.
80 Lee mentions for instance the fast transition in China to a O2O economy (online to offline) and predicts that in no time we will be having a OMO (Online Merges Offline). Kai-Fu Lee, Artificial Intelligence (2017): 88.
81 Thas A. Nirmalathas, ‘How Is the Networked Society Impacting Us?’, Proceedings of the IEEE 106, no. 3 (2018), https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8303874.
82 Some business models are being tested that connect to. They have fridges that can send alerts when you are running out of supplies. Or Amazon’s Alexa, for instance, can place a call and order food for you. It is seamless integration with our environments and our homes.
83 From the standpoint of the public-private space available in stores, for example, strategies are being developed for shopping malls to survive in the digital age. Roberto Fantoni, Fernanda Hoefel and Marina Mazzarolo. ‘The future of the shopping mall’, McKinsey&Company Report (November 2014), https://www.mckinsey.com/business-functions/marketing-and-sales/our-insights/the-future-of-the-shopping-mall.
84 There are many possible benefits and some highlight the fact that such technologies coupled with artificial intelligence make them capable of evolving not only serving as specific tools to stop crime, but also to prevent it. About such evolving capabilities see: Markus Christen, Thomas Burri, Joseph Chapa, Raphael Salvi, Filippo Santoni de Sio, and John Sullins, ‘An Evaluation Schema for the Ethical Use of Autonomous Robotic Systems in Security Applications’, University of Zurich Digital Society Initiative White Paper Series, no. 1 (25 November 2018).
85 Zittrain cautions us about too much haste in judgment. He has called our attention that the impacts of technology can only be understood through their use due to the fact that while we use them we change actually change them. The example he gave was how the internet has changed from providing access points to information to a collaborative effort that all can share their views and thoughts, from passive to active. (Jonathan Zittrain, ‘The Generative Internet’, Harvard Law Review 119 (2006): 1975 ff.).
86 Jessica Fjeld, Nele Achte, Hannah Hilligoss, Adam Christopher Nagy, and Madhulika Srikumar, Principled Artificial Intelligence:Mapping Consensus in Ethical and Rights-based Approaches to Principles for AI (Berkman Klein Center for Internet and Society at Harvard University: 2020), 20, https://cyber.harvard.edu/publication/2020/principled-ai.
87 AI demands much data in order to train the algorithm, some of the data is personal. Another characteristic of this technology is the need for constant interaction in order to continuously learn. Thus, constant access to data. One of the questions is whether one can eliminate data that is in the basis of the AI, that was used to iterate and train the algorithm. It might render it less effective for everyone.
88 Balkin, talking about robotics hinted that we should not fall into the alarmists of neither side, nor the ones can only see opportunities, nor the ones that only see harm with such new technologies. (Jack M. Balkin, ‘The Path of Robotics’, California Law Review Circuit 6 (June 2015): 54–55).
89 ‘Countries Are Using Apps and Data Networks to Keep Tabs on the Pandemic’, The Economist, March 26, 2020, https://www.economist.com/briefing/2020/03/26/countries-are-using-apps-and-data-networks-to-keep-tabs-on-the-pandemic?fsrc=newsletter&utm_campaign=the-economist-today&utm_medium=newsletter&utm_source=salesforce-marketing-cloud&utm_term=2020-03-27&utm_content=article-link-1.
90 IACHR, ‘Resolution no. 01/2020: Pandemic and Human Rights in the Americas’ (2020), https://www.oas.org/en/iachr/decisions/pdf/Resolution-1-20-en.pdf.
91 Ibid., 4.
92 Ibid., 12–13, item 35.
93 Privacy International, for example, has called attention to the enthusiasm of the implementation of technologies that use biometric data within the developing world and in particular in Latin America. See: Privacy International, Biometrics: Friend or Foe of Privacy? (2017), https://privacyinternational.org/sites/default/files/2017-11/Biometrics_Friend_or_foe.pdf.
94 The comparisons between credit card fraud and id theft comes to mind. One can order a different credit card number, but not a different face or actual identity.
95 Most national general data protection legislations in the Americas recognise that there are categories of personal data that are ‘sensitive’, following a language used within the European context.
96 Inter-American Juridical Committee of the Organization of American States, Privacy and Data Protection (2015), CJI/doc. 474/15 rev.2, p.3, https://www.oas.org/en/sla/dil/docs/CJI-doc_474-15_rev2.pdf.
97 There is a wealth of discussion on the matter, but a general view outcry can be found at: O’Neil Catherine, Weapons of Math Destruction: How Big Data Increases Inequality and Threatens Democracy (New York: Crown, 2016).
98 Amazon, for example, had to cancel the use of a AI hiring algorithm for a similar flaw (Jeffrey Dastin, ‘Amazon Scraps Secret AI Recruiting Tool that Showed Bias Against Women’, Reuters, October 10, 2018, https://www.reuters.com/article/us-amazon-com-jobs-automation-insight/amazon-scraps-secret-ai-recruiting-tool-that-showed-bias-against-women-idUSKCN1MK08G). For an analysis of similar cases, see: Sara Wachter-Boettcher, Technically Wrong: Sexist Apps, Biased Algorithms, and Other Threats of Toxic Tech (London: W. W. Norton & Company, 2017) and Catherine O’Neil, Weapons of Math Destruction: How Big Data Increases Inequality and Threatens Democracy (New York: Crown, 2016).
99 Karen Hao, ‘This is How AI Bias Really Happens – and Why It’s So Hard to Fix’, MIT Technology Review, February 04, 2014, https://www.technologyreview.com/s/612876/this-is-how-ai-bias-really-happensand-why-its-so-hard-to-fix/; Sara Wachter-Boettcher, Technically Wrong: Sexist Apps, Biased Algorithms, and Other Threats of Toxic Tech (London: W. W. Norton & Company, 2017); Danielle Keats Citron and Frank Pasquale, ‘The Scored Society: Due Process for Automated Predictions’, Washington Law Review 89 (2014): 1; Catherine O’Neil, Weapons of Math Destruction: How Big Data Increases Inequality and Threatens Democracy (New York: Crown, 2016).
100 Michael Kosinski, David Stillwell, and Thore Graepel, ‘Private Traits and Attributes are Predictable from Digital Records of Human Behavior’, PNAS 110, no. 15 (April 2013): 5802–05, https://doi.org/10.1073/pnas.1218772110.
101 For a general view of the matter with critical overtunes, see: Sandra Wachter and Brent Mittelstadt, ‘A Right to Reasonable Inferences: Re-Thinking Data Protection Law in the Age of Big Data and AI’, Columbia Business Law Review, no. 2 (2019).
102 One major concern for the Americas and particularly for Latin America is the protection of journalists, artists and political opposition. Such technologies may make it easier to find, track and surveil them.
103 One very clear way people see it is their ‘news feeds’ in social network. It automatically organises the information we see, and this determines what we see first, allegedly so that we can more easily find the information we are more interested in. For more information on how such automated algorithms work and their consequences see: Eli Pariser, The Filter Bubble: How the New Personalized Web is Changing What We Think and How We Read (Penguin, 2011), Introduction and Chapter 1.
104 Frank Pasquale, ‘Restoring Transparency to Automated Authority’, J. On Telecomm. & Hightech. L. 9 (2011): 235; Lilian Edwards and Michael Veale, ‘Enslaving the Algorithm: From a “Right to an Explanation” to a “Right to Better Decisions”?’, IEEE Security & Privacy 16, no. 3 (2018): 46–54, 47; Margot E. Kaminski, ‘The Right to Explanation, Explained’, U of Colorado Law Legal Studies, Research Paper No. 18–24 (15 June 2018), 10; Izak Mendoza and Lee A. Bygrave, ‘The Right Not to Be Subject to Automated Decisions Based on Profiling’, in EU Internet Law: Regulation and Enforcement, ed. Tatiani Synodinou et al. (Springer, 2017), 7.
105 The research was conducted by cross checking three databases, namely: UNCTAD, https://unctad.org/en/Pages/DTL/STI_and_ICTs/ICT4D-Legislation/eCom-Data-Protection-Laws.aspx (accessed January 27 2020); DLA Piper Data Protection Laws of the World, https://www.dlapiperdataprotection.com (accessed January 27, 2020); Baker McKenzie Global Data Privacy & Security Handbook, https://globaltmt.bakermckenzie.com/data-privacy-security%20 (accessed January 27, 2020); Graham Greenleaf, Greenleaf’s Global Table of Data Privacy Laws and Bills (Greenleaf, Graham, Global Tables of Data Privacy Laws and Bills) (January 2019), https://ssrn.com/abstract=3380794 (accessed January 27, 2020), and individual research by the authors.
106 Republic of Antigua and Barbuda, ‘Data Protection Act’ (2013), https://laws.gov.ag/wp-content/uploads/2019/02/a2013-10.pdf (accessed January 27, 2020).
107 Republic of Antigua and Barbuda, Information Commissioner.
108 Republic of Antigua and Barbuda, ‘The Antigua and Barbuda Constitutional Order 1981’, Article 3(c) of the Constitution states as a fundamental right ‘his family life, his personal privacy, the privacy of his home and other property and from deprivation of property without fair compensation’, https://pdba.georgetown.edu/Constitutions/Antigua/antigua-barbuda.html (accessed January 27, 2020).
109 Argentina, Ley 25.326/2000, https://www.argentina.gob.ar/normativa/nacional/ley-25326-64790 (accessed January 27, 2020). The main regulation Decree is the Decreto Regulamentario 1558/2001, https://www.argentina.gob.ar/normativa/nacional/decreto-1558-2001-70368. Important to mention that in 2018 the Congress has received a proposal of an updated Data Protection Law. An initial analysis of the project by the Civil Rights Association (Asociación por los Derechos Civiles) can be seen at https://adc.org.ar/informes/analisis-inicial-del-proyecto-de-ley-de-proteccion-de-datos-personales-de-argentina/ (accessed January 27, 2020).
110 Ibid., Ley 25.326/2000, Article 12.
111 Argentina, Dirección Nacional de Protección de Datos Personales (DNPDP), part of the Agencia de Aceso a la Información Pública (AAIP), https://www.argentina.gob.ar/aaip (accessed January 27, 2020).
112 Argentina, ‘Constitution of the Argentine Nation’, Article 43, §3° of the Argentine Constitution foresees: ‘Any person shall file this action to obtain information on the data about himself and their purpose, registered in public records or data bases, or in private ones intended to supply information; and in case of false data or discrimination, this action may be filed to request the suppression, rectification, confidentiality or updating of said data’, https://www.biblioteca.jus.gov.ar/Argentina-Constitution.pdf (accessed January 27, 2020).
113 The Bahamas, Data Protection (Privacy of Personal Information) Act (2003), https://laws.bahamas.gov.bs/cms/images/LEGISLATION/PRINCIPAL/2003/2003-0003/DataProtectionPrivacyofPersonalInformationAct_1.pdf (accessed January 27, 2020).
114 Ibid., Article 17 of Data Protection Act 2003.
115 The Bahamas, Data Protection Commissioner, https://bit.ly/2GeAB12 (accessed January 27, 2020).
116 The Bahamas, The Constitution of The Commonwealth of The Bahamas, https://bit.ly/2twNpxi (accessed January 27, 2020). The Constitution appears to focus at the protection for the privacy of the home, as per Articles 15(c) and 19(7).
117 Barbados, The Barbados Parliament, Data Protection Bill 2019. First draft in 2005. Follow legislative process here https://www.barbadosparliament.com/bills/details/396 (accessed January 27, 2020). First comments at Bartlett Morgan, Re: Comments on the Data Protection Bill (9 July 2019), https://ssrn.com/abstract=3418667.
118 In the draft bill, however, there is a provision for such establishment.
119 Barbados, Barbados Constitution, https://barbados.org/constitution.htm (accessed January 27, 2020), Section 2, Article 11(b) states provides as a fundamental right the ‘protection for the privacy of his home and other property and from deprivation of property without compensation’.
120 Belize, Constitution, https://nationalassembly.gov.bz/wp-content/uploads/2017/03/Belize-Constitution-2017updated-March.pdf (accessed January 27, 2020), Chapter 4, 3(c) of the Belizean Constitution provides as a fundamental right the ‘protection for his family life, his personal privacy, the privacy of his home and other property and recognition of his human dignity’.
121 Bolivia does not have a specific data protection law. However, the General Law of Telecommunications, Information and Communication Technologies (Ley General de Telecomunicaciones, Tecnologías de Información y Comunicación, Ley n° 164) does provide for data subject rights and other rules concerning personal data. See for instance Articles 54(9), 56 and 59(13), https://www.diputados.bo/leyes/ley-n°-164 (accessed January 27, 2020).
122 Bolivia, Constitución Política del Estado, https://www.diputados.bo/sites/default/files/cpe2014.pdf (accessed January 27, 2020). Article 21(2) of the Bolivian Constitution states that all bolivians have the right to privacy, intimacy, honour, self image and dignity.
123 Brazil, Federal Law n° 13.709/2018 (General Data Protection Law), https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/L13709.htm (in portuguese) and https://www.lgpdbrasil.com.br/wp-content/uploads/2019/06/LGPD-english-version.pdf (unoficial translation).
124 Ibid., Articles 33 to 36 of the Law n° 13.709/2018.
125 Brazil, Federal Constitution, https://www.stf.jus.br/arquivo/cms/legislacaoConstituicao/anexo/brazil_federal_constitution.pdf (accessed January 27, 2020) Article 5(X) provides the right to privacy as a fundamental right ‘X – the privacy, private life, honour and image of persons are inviolable, and the right to compensation for property or moral damages resulting from their violation is ensured’.
126 Canada, Personal Information Protection and Electronic Documents Act (PIPEDA), https://laws-lois.justice.gc.ca/PDF/P-8.6.pdf (accessed January 27, 2020). Besides, it is worth mentioning the Alberta Personal Information Protection Act (Alberta PIPA) and the Quebec Privacy Act.
127 The general standard is that the organisation responsible for the transfer ‘shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party’, as per Article 4.1.3 of the PIPEDA.
128 Privacy Commissioner of Canada, enacted under Section 53 of the Canadian Privacy Act (https://laws-lois.justice.gc.ca/eng/acts/p-21/index.html).
129 According to the Office of the Privacy Commissioner of Canada, ‘The Supreme Court of Canada has stated that the Privacy Act has “quasi-constitutional status”, and that the values and rights set out in the Act are closely linked to those set out in the Constitution as being necessary to a free and democratic society’. Office of the Privacy Commissioner of Canada, ‘An Overview of the Office of the Privacy Commissioner of Canada and Federal Privacy Legislation’, https://www.priv.gc.ca/en/about-the-opc/publications/guide_ind/ (accessed January 27, 2020).
130 Chile, Law 19.628/1999. Available at https://www.leychile.cl/Navegar?idNorma=141599 (accessed January 27, 2020).
131 Chile, Constitución Política, https://www.senado.cl/capitulo-iii-de-los-derechos-y-deberes-constitucionales/senado/2012-01-16/093413.html (accessed January 27, 2020). Included as a constitutional right in 2018. Article 19, 4° states that ‘4°.- El respeto y protección a la vida privada y a la honra de la persona y su familia, y asimismo, la protección de sus datos personales. El tratamiento y protección de estos datos se efectuará en la forma y condiciones que determine la ley’.
132 Colombia, Law 1581/2012, https://www.secretariasenado.gov.co/senado/basedoc/ley_1581_2012.html (accessed January 27, 2020). Also worth to mention Law 1266/2008, which regulates gathering, treatment and circulation of personal data in relation to financial and credit, commercial and service information, as well as that obtained from third countries, https://www.secretariajuridica.gov.co/transparencia/marco-legal/normatividad/ley-1266-2008 (accessed January 27, 2020).
133 See Article 26 of Law 1581/2012.
134 Colombia, Superintendencia de Industria y Comercio (Superintendent of Industry and Commerce – SIC). See more at https://www.sic.gov.co/tema/proteccion-de-datos-personales.
135 Colombia, Constitution, https://www.constituteproject.org/constitution/Colombia_2005.pdf (accessed January 27, 2020). Article 15 of the Colombian Constitution states that all individuals have the right to ‘know, update, and rectify information collected about them in data banks and in the records of public and private entities. Freedom and the other guarantees approved in the Constitution will be respected in the collection, processing, and circulation of data’.
136 Costa Rica, Protección de la Persona frente al tratamiento de sus datos personales (Protection of the Person over the processing of their personal data – Law n° 8968), https://www.pgrweb.go.cr/scij/Busqueda/Normativa/Normas/nrm_texto_completo.aspx?param1=NRTC&nValor1=1&nValor2=70975&nValor3=85989&strTipM=TC (accessed January 27, 2020).
137 The general rule is that there must be a valid and express authorisation for the transfer and that it respects the Costa Rica law’s principles and rights, as per Article 14 of the Law n° 8968.
138 Costa Rica, Agency for the Protection of Personal Data of Inhabitants (Agencia de Protección de Datos de los habitantes – Prodhab), https://www.prodhab.go.cr.
139 Costa Rica, Constitución Política de la Republica de Costa Rica, https://www.pgrweb.go.cr/scij/Busqueda/Normativa/Normas/nrm_texto_completo.aspx?nValor1=1&nValor2=871 (accessed January 27, 2020). Article 24 of the Constitution provides the right to privacy as a fundamental right, namely the right to intimacy, freedom and secrecy of communications.
140 It is worth mentioning, however, that according to local scholars ‘There are several sectoral rules that address information in a general sense and indiscriminately protect certain personal information depending on whether it is sensitive data or if it appears in databases of these sectors’ (Free translation, Zahira Bello and Yarina Fernández, ‘La protección de los datos personales en Cuba desde la legislación vigente’, Justicia juris (2017), 91, https://www.scielo.org.co/pdf/jusju/v12n2/1692-8571-jusju-12-02-00087.pdf (accessed January 27, 2020)).
141 Cuba, Constitución de la Republica, https://www.cuba.cu/gobierno/cuba.htm (accessed January 27, 2020). Articles 56 and 57 of the Cuban Constitution establishes the right to privacy in what refers to individuals’ houses and communications (cable, telegraph and telephone).
142 Dominican Republic, Ley sobre Protección de Datos Personales (Law n° 172–13), https://www.tribunalconstitucional.gob.do/transparencia/marco-legal/leyes/ley-172-13-sobre-protección-de-datos-personales/ (accessed January 27, 2020).
143 See Article 80 of Law n° 172–13.
144 Article 29 of Law n° 172–13 establishes as a control organ for data concerning credit the Superintendency of Banks (Superintendencia de Bancos), but there is no DPA.
145 Dominican Republic, Constitución Dominicana, https://dominicana.gob.do/index.php/pais/2014-12-16-20-52-13 (accessed January 27, 2020). Article 44 of the Dominican Republic Constitution provides for the right to intimacy and personal honour, expressly recognising citizens’ right to access personal data and right to be informed about its use.
146 Ecuador, Bill proposed in September 2019. See draft bill at https://ppless.asambleanacional.gob.ec/alfresco/d/d/workspace/SpacesStore/0735e2b3-6545-4f66-afe4-0d7eee51e6c5/Proyecto%20de%20Ley%20Org%E1nica%20de%20Protecci%F3n%20de%20Datos%20Personales%20Tr.%20379637.pdf.
147 Ecuador, Constitution, https://pdba.georgetown.edu/Constitutions/Ecuador/english08.html (accessed January 27, 2020). Article 66(19) of the Constitution guarantees ‘The right to protection of personal information, including access to and decision about information and data of this nature, as well as its corresponding protection. The gathering, filing, processing, distribution or dissemination of these data or information shall require authorization from the holder or a court order’.
148 Luis Andrés Marroquín, ‘Ley de Protección de Datos tendrá su propria superintendencia’, elsalvador.com (04 February 2020), https://www.elsalvador.com/noticias/nacional/ley-proteccion-datos-superintendencia/683392/2020/ (accessed May 03, 2020).
149 El Salvador, Constitution of the Republic of El Salvador, https://constitutionnet.org/vl/item/constitution-republic-el-salvador (accessed January 27, 2020). Article 2 provides as individual rights ‘The right to honor, personal and family intimacy, and one’s own image is guaranteed’.
150 Grenada, Grenada Constitution of 1973, https://pdba.georgetown.edu/Constitutions/Grenada/gren73eng.html (accessed January 27, 2020). Article 1(c) of the Grenadian Constitution states as a fundamental right the protection of privacy of home and other property.
151 Guatemala, The Initiative 4090 (Iniciativa 4090). Under discussion since 2010. See more at https://dca.gob.gt/noticias-guatemala-diario-centro-america/piden-aprobar-ley-de-proteccion-de-datos/.
152 Guatemala, Constitución Política de la Republica de Guatemala, https://www.ine.gob.gt/archivos/informacionpublica/ConstitucionPoliticadelaRepublicadeGuatemala.pdf (accessed January 27, 2020). The Constitution establishes as individuals’ rights the non-violation of property (Article 23) and the secrecy of correspondence and telephone, radio, cable and other modern technology communications (Article 24) (free translation by the authors).
153 Guyana, Constitution of the Co-operative Republic of Guyana Act, https://parliament.gov.gy/constitution.pdf (accessed January 27, 2020).
154 Haiti, La Constitution de La République D’ Haïti (1987), https://www.oas.org/juridico/PDFs/mesicic4_hti_const.pdf.
155 Honduras. The Ley de Protección de Datos Personales (Data Protection Law) is under discussion. See more at https://www.elheraldo.hn/pais/1246129-466/ley-de-vivienda-y-otras-quedaron-pendientes-en-el-congreso-nacional and https://www.accessnow.org/honduras-igf/ for first comments on the Bill.
156 The Institute for the Access to Public Information (Instituto de Acceso a la Información Pública – IAIP), already established in the country, would be the Data Protection Authority according to the Bill.
157 Honduras, Constitución Política de 1982, https://www.poderjudicial.gob.hn/CEDIJ/Leyes/Documents/Constitución%20de%20la%20República%20de%20Honduras%20%28Actualizada%202014%29.pdf (accessed January 27, 2020). Article 182 of the Constitution foresees the right to habeas data, namely that ‘Toda persona tiene el derecho a acceder a la información sobre sí misma o sus bienes en forma expedita y no onerosa, ya esté contenida en bases de datos, registros públicos o privados y, en caso de que fuere necesario, actualizarla, rectificarla y-o suprimirla’.
158 ‘Data Protection Bill to Go Before Parliament Soon’, The Cleaner Jamaica (January 25, 2020), https://jamaica-gleaner.com/article/news/20200125/data-protection-bill-go-parliament-soon (accessed January 27, 2020). Since 2017, the Data Protection Bill is under discussion. Jamaica, Data Protection Bill, https://japarliament.gov.jm/index.php/publications/bills/public-bills (accessed January 27, 2020).
159 Jamaica, The Jamaica Constitution Order in Council 1962, https://moj.gov.jm/sites/default/files/laws/Ja%20%28Constitution%29%20Order%20in%20Council%201962.pdf (accessed January 27, 2020). Section 13(3)(j)(ii) establishes as a right of everyone to ‘respect for and protection of private and family life and privacy of the home’ and Section 13(3)(j)(iii) to ‘protection of privacy of other property and of communication’.
160 Mexico, Federal Law on the Protection of Personal Data held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de Particulares – LFPDPPP), https://www.diputados.gob.mx/LeyesBiblio/pdf/LFPDPPP.pdf (accessed January 27, 2020). Besides, the General Law on Protection of Personal Data Held by Obligated Parties (Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados), 2017, https://inicio.ifai.org.mx/MarcoNormativoDocumentos/LEY%20GENERAL%20DE%20PROTECCIÓN%20DE%20DATOS.pdf (accessed January 27, 2020).
161 Ibid., Articles 36 and 37 of the LFPDPPP.
162 The National Institute of Transparency for Access to Information and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales – INAI). See more at https://inicio.ifai.org.mx/SitePages/English_Section.aspx
163 Mexico, Constitution, https://www.constituteproject.org/constitution/Mexico_2015.pdf?lang=en (accessed January 27, 2020). Article 6 establishes the right to information and to freedom of expression, foreseeing that, in order to accomplish that provisions, ‘Information regarding private life and personal data shall be protected according to law and with the exceptions established therein’. Besides, Article 16, which refers specifically to the right to privacy, states that ‘All people have the right to enjoy protection on his personal data, and to access, correct and cancel such data. All people have the right to oppose the disclosure of his data, according to the law’.
164 Nicaragua, Law n° 787, https://www.pgr.gob.ni/PDF/Constitucional/ley%20787.pdf (accessed January 27, 2020).
165 Ibid., Articles 13, 14 and 15 of Law n° 787.
166 The Directorate for the Protection of Personal Information (Dirección de Protección de Datos Personales) has not been enacted yet, but it is foreseen in the Law n° 787 (Art. 28).
167 Nicaragua, Nicaragua’s Constitution of 1987, https://www.constituteproject.org/constitution/Nicaragua_2005.pdf (accessed January 27, 2020). Article 26 states as individuals’ rights the right to private life (Art. 26(1)) and to ‘know all information that has been recorded about it in private and public entities, as well as the right to know why and for what purpose this information is used’ (Art. 26(4)).
168 Panama, Law n° 81 of 2019, Data Protection Law (Ley 81 de Protección de Datos Personales), https://www.panacamara.com/ley-81-de-2019/ (accessed January 27, 2020).
169 Ibid., Articles 31, 32 and 33 of Law n° 81.
170 Panama, Constitución Política de la República de Panamá, https://www.oas.org/es/sla/ddi/docs/P1%20Constitución%20de%20Panamá.pdf (accessed January 27, 2020). Article 42 of the Constitution establishes the Right to Informational Self-Determination, namely that ‘Toda persona tiene derecho a acceder a la información personal contenida en bases de datos o registros públicos y privados, y a requerir su rectificación y protección, así como su supresión, de conformidad con lo previsto en la Ley’. See also Article 29.
171 Other domestic laws regulate the matter (see e.g. Law n° 4868/2013 and Law n° 1682/2001), but a Data Protection Law is under discussion since 2019. See more at https://www.senado.gov.py/index.php/noticias/noticias-comisiones/2924-debaten-proyecto-de-ley-de-proteccion-de-datos-personales-2019-04-30-19-17-59.
172 Paraguay, Constitución de la República del Paraguay, https://digesto.senado.gov.py/archivos/file/Constitución%20de%20la%20República%20del%20Paraguay%20y%20Reglamento%20Interno%20HCS.pdf (accessed January 27, 2020). Article 33 of the Constitution establishes that ‘Personal and family intimacy, as well as respect for privacy, are inviolable’ (free translation by the authors).
173 Peru, Law n° 29733, Personal Data Protection Law (Ley n° 29733, Ley de Protección de Datos Personales – LPDP). Available at https://www.leyes.congreso.gob.pe/Documentos/Leyes/29733.pdf.
174 Ibid., Article 15 of Law n° 29733.
175 Peru, National Authority for the Protection of Personal Data (Autoridad Nacional de Protección de Datos Personales).
176 Peru, Constitución Política del Perú, https://www.minjus.gob.pe/wp-content/uploads/2019/05/Constitucion-Politica-del-Peru-marzo-2019_WEB.pdf (accessed January 27, 2020). Article 2(6) establishes as a fundamental right that ‘That computer services, computerized or not, public or private, do not provide information that affects personal and family privacy’. The Personal Data Protection Law is considered to be a normative development from that provision.
177 Saint Kitts and Nevis, Data Protection Bill 2018. The Bill is inspired in the Organization of the Eastern Caribbean States Model (available at https://www.oecs.org/en/oecs-library/e-gov/data-protection-act) See more at https://www.thestkittsnevisobserver.com/st-kitts-and-nevis-legislators-pass-data-protection-bill-2018/.
178 Saint Kitts and Nevis, Information Commissioner.
179 Saint Kitts and Nevis, Constitution, https://www.oas.org/juridico/PDFs/mesicic5_skn_constitution_annex1.pdf (accessed January 27, 2020). Article 3(c) of the Constitution establishes as a fundamental right the ‘protection for his or her personal privacy, the privacy of his or her home and other property and from deprivation of property without compensation’.
180 Saint Lucia, Privacy and Data Protection Act, https://www.govt.lc/media.govt.lc/www/resources/legislation/PrivacyAndDataProtectionBill.pdf (accessed January 27, 2020).
181 Ibid., Article 28 of the Privacy and Data Protection Act.
182 Saint Lucia, Data Protection Commissioner.
183 Saint Lucia, Constitution, https://www.oas.org/es/sla/ddi/docs/SL1%20Constitution.pdf (accessed January 27, 2020). Article 1(c) of the Constitution establishes the right to privacy as the right to ‘protection for his family life, his personal privacy, the privacy of his home and other property’.
184 In Saint Vincent and the Grenadines, the existing law related to the matter is the Freedom of Information Act (2003).
185 Saint Vincent and the Grenadines, Constitution 1979, https://www.oas.org/es/sla/ddi/docs/SVG%201%20Constitution.pdf (accessed January 27, 2020). Article 1(c) of the Constitution establishes the right to privacy as the right to ‘protection for the privacy of his home and other property’.
186 Suriname, The Constitution of The Republic of Suriname, Bulletin of Acts and Decrees 1987 no. 166, https://www.oas.org/juridico/PDFs/mesicic4_sur_const.pdf (accessed January 27, 2020). Article 17 provides that ‘Everyone has a right to respect for his privacy(…)’ (Art. 17(1)) and that ‘The confidentiality of correspondence, telephone and telegraph shall be inviolable’ (Art. 17(3)).
187 Trinidad and Tobago, Data Protection Act (DPA), https://www.ttparliament.org/legislations/a2011-13.pdf (accessed January 27, 2020).
188 Ibid., Article 46 of the DPA.
189 Trinidad and Tobago, Office of the Information Commissioner.
190 Trinidad and Tobago, Constitution of the Republic of Trinidad and Tobago Act, 1976, https://laws.gov.tt/pdf/Constitution.pdf (accessed January 27, 2020). Article 4(c) recognises ‘the right of the individual to respect for his private and family life’.
191 United States of America, Privacy Act of 1974, available at https://www.justice.gov/opcl/file/631151/download (accessed January 27, 2020). Other laws make part of the data protection framework in the country. In the state level, it is worth mentioning the California Consumer Privacy Act of 2018 (CCPA).
192 Federal Trade Commission and other sector-specific regulators.
193 The United States of America Bill of Rights, in its Fourth Amendment, establishes the right of the people ‘to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures’. For a short opinion article about the matter, see Josephine Wolff, ‘Losing Our Fourth Amendment Data Protection’, The New York Times (April 28, 2019), https://www.nytimes.com/2019/04/28/opinion/fourth-amendment-privacy.html (accessed May 03, 2020).
194 Uruguay, Law n° 18331, https://www.impo.com.uy/bases/leyes/18331-2008. Personal Data Protection Law (Ley n° 18331 – Ley de Protección de Datos Personales).
195 See Article 23 of the Law n° 18331.
196 Uruguay, Unidad Reguladora y de Control de Datos Personales (URCDP). See more at https://www.gub.uy/unidad-reguladora-control-datos-personales/
197 Uruguay, Constitucion de la Republica, https://www.impo.com.uy/bases/constitucion/1967-1967 (accessed January 27, 2020). Article 1 of Law n° 18331 establishes the data protection right as a inherent right to the human being, being it comprised at Article 72 of the Constitution, which establishes that ‘The enumeration of rights, duties and guarantees made by the Constitution does not exclude others that are inherent to the human being or derive from the republican form of government’ (free translation by the authors).
198 Venezuela, Constitucion de la Republica Bolivariana de Venezuela, 1999, https://www.oas.org/dil/esp/constitucion_venezuela.pdf (accessed January 27, 2020). Articles 47 and 48 of the Constitution guarantees the inviolability of home and of communication in all forms.