The ICT sector in front of the Protection of Personal Data Law Draft
On September 10th this year, the National Authority of Transparency and Access to Information (ANTAI in Spanish), in conjunction with the National Authority for Government Innovation (AIG in Spanish), published a new version of the Draft Law on Protection of Personal Data. This new version adds components based on suggestions received by the sponsoring authorities listed above, as well as from civil society organizations interested in the subject, gathered at various events, forums and consultations.
What does this law pursue?
The spirit of this Law is to protect people's information, in keeping with what the Panamanian Constitution establishes regarding their privacy. We believe that the following definitions are the most important within the legal text:
- Data Storage: Conservation or custody of data in a database, established in any medium provided by information and communication technologies (ICT).
- Personal Data: Any information concerning natural persons, which identifies them or makes them identifiable.
- Custodian of the Database: Natural person or legal entity, public or private, profit-making or not, who is responsible for the custody and preservation of the Database, commissioned by the person responsible for the processing.
It is important to note that, according to the draft Law, all databases located in the territory of the Republic of Panama shall be subject to this law, regardless of the purpose or use of the database.
Some experts in the field consider such definitions overly broad, as they could cover more information or data than a law of this type should govern.
Who would be bound by this Law of Protection of Personal Data?
Any company that holds, either for its own use or for sale, a database containing personal data. Based on this premise, we believe that this applies to the following platforms:
- Customer Relationship Management (CRM)
- Newsletter Sending – E-Mail Advertisement
- Loyalty Program
- Analysis of data related to website traffic
- Enterprise Resource Planning System (ERP)
- Any Cloud-based Service
What should these companies do to reduce the legal risk of breaching this law in the event of approval?
The document we have been able to analyze establishes that companies must take all necessary steps to ensure that data is protected in a consistent manner, which for us translates into:
- Strengthening their security measures to keep intruders out of their servers or IT infrastructure.
- Establishing policies for the management of information and codes of conduct for the persons who will be managing these data, adopting international standards such as ISO 27001.
- Updating the terms and conditions of the service they provide and communicating them to their customers.
- Refraining from trading or transferring databases containing personal data to third parties.
Any damage caused to a person due to failure to comply with this law could make the owner of the database liable in both civil and criminal matters.
The adoption of this law will require education for the ICT sector in several respects, namely:
- Taking care to secure the databases they use internally as a business tool.
- Developing applications that do not compromise or put at risk the end-user data.
- Setting a limit on their liability toward end customers for damage caused by the misuse of personal data.
What is the experience in countries or regions with restrictive laws?
Several scholars on the subject concur that, in many countries or regions with restrictive laws or regulations on data protection, entrepreneurship has decreased or companies have moved away from these countries in search of locations with legislation that imposes minimal restrictions, as is the case in the United States.
It is important to highlight that the frames of reference for these Regulations are the legal systems of the European Community, which is one of the most restrictive, and of the United States, which rather than banning everything and establishing exceptions adopted the opposite approach: it clearly states what can be done with personal data and allows all other actions, and it has no exclusive agency or authority overseeing the topic.
We will keep an eye on developments on this issue, which is based on the Declaration of Principles of the Inter-American Commission on Human Rights, whose third principle reads: “Every person has the right to access to information about himself or herself or his/her assets expeditiously and not onerously, whether it be contained in databases or public or private registries, and if necessary, update, modify and/or amend it.” This same right is recognized in the American Convention on Human Rights in its articles 13.2 and 11, which protect the right to privacy, honor and reputation of individuals.